The Information Commissioner's office (ICO) has sent a message to SMEs by fining a small Northampton games company for failing to prevent a 2015 breach.
Sally Anne Poole, enforcement officer for the ICO said in a statement, “regardless of your size, if you are a business that handles personal information then data protection laws apply to you.”
Boomerang Video Ltd, a Northampton-based company which trades under the name Boomerang, offers a video games rental service. Starting business in 2005, a third party built its website with, unbeknownst to Boomerang, a coding error within the login page.
Boomerang Video was assailed on 5 December 2014 with an SQL injection attack. The attacker then uploaded malware and got into its database. By the end of the month, It could access the names, addresses, primary account numbers and card expiry dates and security codes of 26,331 customers of Boomerang.
Though some of those account numbers were stored unencrypted, the attacker used information from the web server to decrypt the rest, the ICO said, “with ease”.
Boomerang did not realise this until January 9th 2015 when customers alerted them to the fraudulent use of their cards. Boomerang eventually received more than1,000 enquiries and complaints surrounding the breach.
The Information Commissioner resolved that Boomerang had failed to prevent unauthorised access to that data. The company had not carried out regular penetration testing, had not kept its decryption key secure and did not set a password hard enough for the hackers to be unable to crack. These practices, the ICO established, had been going on since 2005, since the site was created.
Poole added that, “for no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening. I hope businesses learn from today's fine and check that they are doing all they can to look after the customer information in their care.”
Boomerang has since taken action to better secure itself, and has had no further incident since, which the ICO commended it for. A spokesperson for Boomerang told SC Media UK in a statement that “we do not agree with all the details of the ruling, however, we have accepted it and would like to apologise to any customers who were affected by this criminal attack.”
"This is a classic example of the regulator's treatment of organisations that are 'negligent' rather than 'unlucky',” Dennis Slattery CEO of EDMworks told SC. Though the ICO is resolute in its decision to penalise, when the EU's General Data Protection Regulation comes in May 2018, those penalties will be far more threatening: “Expect much harsher treatment under GDPR for negligence 'that may cause the individual substantial damage or distress'. "